Chapter 5, Part I Risk Assessment: Internal Control Evaluation

Internal controls are designed to provide reasonable assurance that

Material errors or fraud will be prevented, or detected and corrected, within a timely period by employees in the course of performing their assigned duties.

When obtaining an understanding of an entity’s internal control, an auditor should concentrate on their substance rather than their form because

 Management may establish appropriate controls but not enforce compliance with them.

In obtaining an understanding of internal control in a financial statement audit, an auditor is not obligated to

Search for significant deficiencies in the operation of internal control.

Less Reliance on Internal Control:

higher control risk; higher RMM; ______ detection risk

lower

More Reliance on Internal Control;

lower control risk; lower RMM; ______ detection risk

higher _

What is the purpose of adequate internal controls?

To detect and prevent material errors or fraud in financial reporting.

Define internal control.

A process effected by an entity’s board, management, and personnel to provide reasonable assurance of achieving objectives in reporting reliability, operational effectiveness, and legal compliance.

Who retains authority over decisions and reviews management’s assignments?

The Board of Directors.

Who establishes directives, guidance, and controls?

Senior Management.

What is the role of outsourced service providers in internal control?

Follow management’s authority and responsibility.

What is the purpose of ICFR?

Reduce risk of material errors/fraud and support accurate reporting.

What level of assurance do internal controls provide?

Reasonable assurance (not foolproof).

What are three limitations of internal control?

Human error, management override, and collusion (plus cost-benefit).

What is management’s responsibility for internal controls?

Establish, maintain, assess, and report on effectiveness.

What is the auditor’s responsibility for internal controls? ( what is their job there)

Audit and issue an opinion on ICFR effectiveness.

What are the five COSO components of internal control?

Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring.

What is the foundation for all other internal control components?

Control Environment.

Deficiencies in the control environment are often linked to what?

Financial frauds.

What is risk in internal control?

The chance an event hurts organizational objectives.

What are control activities?

Policies and procedures to ensure management’s directives are met.

What are the two types of controls?

Preventive and detective.

What four functions are often segregated in duties?

Authorization, recording, custody, reconciliation.

What is information and communication in internal control?

Identifying, capturing, and sharing timely, relevant info.

What is monitoring in internal control?

Ongoing or separate evaluations of control performance.

What is the role of the audit committee?

Oversight, buffer between auditors and management, ensure independence.

Who serves on the audit committee?

3–6 outside board members, all financially literate, one expert

What are the three phases of internal control evaluation?

Understand/document, assess control risk, test controls.

What are entity-level controls?

Broad controls affecting the whole system (like monitoring or risk assessment).

What are transaction-level controls?

Controls over specific transactions, balances, or disclosures.

What is a design deficiency?

A missing or poorly designed control.

What is an operating deficiency?

A proper control not applied correctly or consistently.

What is a material weakness?

A likely chance a material misstatement won’t be prevented or detected timely.

What is a significant deficiency?

Less severe than a material weakness but still needs governance attention.

What does an unqualified opinion on ICFR mean?

Internal control is effective with no material weaknesses. (good)

What is an example of an internal risk? (think blue chart)

Management changes, poor business model, or IT changes.